Description

Security researcher J23 reported via
TippingPoint's Zero Day Initiative that an array class used to store
CSS values contained an integer overflow vulnerability. The 16 bit
integer value used in allocating the size of the array could overflow,
resulting in too small a memory buffer being created. When the array
was later populated with CSS values data would be written past the end
of the buffer potentially resulting in the execution of
attacker-controlled memory.